Meaningful Use and the Security Risk Assessment

I know it is hard to believe, but I have spent years working on HIPAA Security Risk Assessments. I have conducted assessments, created tools to facilitate the work, and even written policies to facilitate the transition from the HIPAA Security Risk Assessment to the HIPAA Security Risk Management phase.

I have also spent a significant amount of time with Meaningful Use and facilitating attestation for Covered Entities. The process, as I found out, could be quite smooth in a perfect world; but who lives in a perfect world?

Based on a study published in Medical Care, "A National Study of Challenges to Electronic Health Record Adoption and Meaningful Use" by Dawn Heisey-Grove, MPH, Lisa-Nicole Danehy, MHS, Michelle Consolazio, MPA, Kimberly Lynch, MPH, and Farzad Mostashari, MD, ScM, one of the biggest challenges encountered by Providers is the security risk analysis.

I have actually encountered several interpretations of "security risk analysis" and, as I admitted, even I have had to change my own risk analysis over time. However, most of what I have seen does not meet the regulatory requirements of the HIPAA Security Rule. Even worse is the fact that many Covered Entities have attested to Meaningful Use and, when asked about the Security Risk Assessment, simply answered "yes" without giving it a second thought. My problems with this practice are as follows:

  • A Risk Assessment is a requirement of HIPAA under 45 CFR 164.308(a)(1), independent of Meaningful Use, so it should have been completed even before they thought about Meaningful Use;
    a. Remember that under the Omnibus Rule, Business Associates must follow this requirement as well.
  • Eligible professionals (EPs) must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), and to having implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period, to meet this measure.
    a. Answering "Yes" without actually having met this requirement may be considered fraud.
  • The government is actually conducting audits to ensure that Covered Entities that received financial incentives have in fact met the Meaningful Use requirements.
    a. Whether you miss one or all requirements, the interpretation by the auditors is the same: you didn't meet the Meaningful Use requirements and therefore must return all incentive monies.

So, since we know this is and will continue to be an issue, we decided to develop a few initiatives to help our peers.

  • We created compliance software with checklists to assist with the Risk Assessment and Risk Management requirements. Users pay a set-up fee and a monthly fee, and we then prompt them with actions throughout the year. The software also functions as a secure online repository where Covered Entities can upload their completed forms and access them through the Internet.
  • We will partially fund a number of risk assessments throughout the year. Just e-mail me at [email protected] if you are interested in additional details.
  • We have written, and will continue to write, a number of courses and seminars to assist Covered Entities with these requirements, which can be obtained through Uber University.
  • We will continue to offer assistance through Taino Consultants Inc. to interested parties.

In summary, we know that conducting a Security Risk Assessment is not an easy task, yet remember that if you are going to play the game, you must follow the rules.